<!DOCTYPE html>
<html lang="">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.3.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5/css/all.min.css">
  <link rel="stylesheet" href="//cdn.jsdelivr.net/npm/pace-js@1/themes/blue/pace-theme-minimal.css">
  <script src="//cdn.jsdelivr.net/npm/pace-js@1/pace.min.js"></script>

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"blog.wendell.pro","root":"/","scheme":"Mist","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"always","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="导言服务端请求伪造(SSRF),简单来说就是服务器以其身份替攻击者发生任意请求,因为服务器所处的特殊网络位置,很可能有机会访问内部资源,在元环境中,可能会存在包含敏感凭证的元数据断点,造成很严重的危害">
<meta property="og:type" content="article">
<meta property="og:title" content="ssrf_总结.md">
<meta property="og:url" content="http://blog.wendell.pro/2021/01/25/ssrf-%E6%80%BB%E7%BB%93-md-1/index.html">
<meta property="og:site_name" content="Wendell&#39;s blog">
<meta property="og:description" content="导言服务端请求伪造(SSRF),简单来说就是服务器以其身份替攻击者发生任意请求,因为服务器所处的特殊网络位置,很可能有机会访问内部资源,在元环境中,可能会存在包含敏感凭证的元数据断点,造成很严重的危害">
<meta property="og:locale">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210130165750986.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210202115140626.png">
<meta property="article:published_time" content="2021-01-25T07:00:18.000Z">
<meta property="article:modified_time" content="2021-02-25T07:17:39.263Z">
<meta property="article:author" content="Wendell">
<meta property="article:tag" content="ssrf">
<meta property="article:tag" content="知识总结">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210130165750986.png">

<link rel="canonical" href="http://blog.wendell.pro/2021/01/25/ssrf-%E6%80%BB%E7%BB%93-md-1/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'default'
  };
</script>

  <title>ssrf_总结.md | Wendell's blog</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

<link rel="alternate" href="/atom.xml" title="Wendell's blog" type="application/atom+xml">
</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="Toggle navigation bar">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">Wendell's blog</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>Home</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>Archives</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>Tags</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>Categories</a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="default">
    <link itemprop="mainEntityOfPage" href="http://blog.wendell.pro/2021/01/25/ssrf-%E6%80%BB%E7%BB%93-md-1/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/avatar.jpg">
      <meta itemprop="name" content="Wendell">
      <meta itemprop="description" content="Wendell blog">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Wendell's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          ssrf_总结.md
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>

              <time title="Created: 2021-01-25 15:00:18" itemprop="dateCreated datePublished" datetime="2021-01-25T15:00:18+08:00">2021-01-25</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">Edited on</span>
                <time title="Modified: 2021-02-25 15:17:39" itemprop="dateModified" datetime="2021-02-25T15:17:39+08:00">2021-02-25</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">In</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/Web%E5%AE%89%E5%85%A8/" itemprop="url" rel="index"><span itemprop="name">Web安全</span></a>
                </span>
            </span>

          
            <span class="post-meta-item" title="Views" id="busuanzi_container_page_pv" style="display: none;">
              <span class="post-meta-item-icon">
                <i class="fa fa-eye"></i>
              </span>
              <span class="post-meta-item-text">Views: </span>
              <span id="busuanzi_value_page_pv"></span>
            </span>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h2 id="导言"><a href="#导言" class="headerlink" title="导言"></a>导言</h2><p>服务端请求伪造(SSRF),简单来说就是服务器以其身份替攻击者发生任意请求,因为服务器所处的特殊网络位置,很可能有机会访问内部资源,在元环境中,可能会存在包含敏感凭证的元数据断点,造成很严重的危害</p>
<a id="more"></a>
<p>比如一个在线翻译服务,服务器需要请求用户给定的url并且翻译后将内容回显,这时服务器就需要通过自己特殊的网络位置发生请求,造成漏洞</p>
<p>例如刚刚在线翻译服务的那个场景,攻击者唯一可控的只有url,那么怎么利用url达成攻击呢</p>
<p>答案是协议,Web攻击可以达到的效果,取决于可控参数传入的函数,支持的功能,除了http,https协议,还有很多其他的协议可以利用</p>
<p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210130165750986.png" alt="image-20210130165750986"></p>
<p>上图是curl支持的协议</p>
<p>我们可以这里理解ssrf攻击</p>
<p>curl类似一个函数,会把我们传入的url转成对应的tcp或udp报文,发送到对应的host和端口,</p>
<p>我们要利用可控的url操作curl生成的报文,然后对内网的服务进行攻击</p>
<p>我们容易想到我们可以操控得到的流量会有三者情况</p>
<ol>
<li><p>可交互的tcp流</p>
<p>这种应该只会在极其特殊的情况下才会出现</p>
</li>
<li><p>完全可控的一次tcp流</p>
<p>只可以发送一次,但是内容完全可控,这种会在c协议出现,或者在对ftp服务器的进一步利用出现</p>
</li>
<li><p>受限的部分可控的一次tcp流</p>
<p>dict协议,http,https协议都有可能出现这种情况</p>
</li>
</ol>
<p>##可利用的协议</p>
<h3 id="file协议"><a href="#file协议" class="headerlink" title="file协议"></a>file协议</h3><p>file协议可以直接读取文件</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">% curl file:&#x2F;&#x2F;&#x2F;etc&#x2F;passwd</span><br><span class="line">nobody:*:-2:-2:Unprivileged User:&#x2F;var&#x2F;empty:&#x2F;usr&#x2F;bin&#x2F;false</span><br><span class="line">root:*:0:0:System Administrator:&#x2F;var&#x2F;root:&#x2F;bin&#x2F;sh</span><br></pre></td></tr></table></figure>


<h3 id="gopher"><a href="#gopher" class="headerlink" title="gopher"></a>gopher</h3><p><em>Gopher协议是</em>internet的<em>一个</em>信息查找系统,他出现在www之前,现在支持gopher协议的客户端已经越来越少了</p>
<p>但是他是可以达到完全可控的一次tcp流,这个效果的,可以说是攻击面最广的一个协议了,http的post请求,redis的设置请求,都可以伪造</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">gopher:&#x2F;&#x2F;127.0.0.1:4002&#x2F;_%65%76%61%6c%5f%64%61%74%61</span><br></pre></td></tr></table></figure>
<p>格式为gopher://127.0.0.1:4002/_后面是要传输内容的url编码</p>
<p>![image-20210202114911256](../../../../Library/Application Support/typora-user-images/image-20210202114911256.png)</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> socket</span><br><span class="line"><span class="keyword">import</span> threading</span><br><span class="line"><span class="keyword">from</span> urllib.parse <span class="keyword">import</span> quote</span><br><span class="line"><span class="comment">## 实际内部服务端口</span></span><br><span class="line">source_host = <span class="string">&#x27;127.0.0.1&#x27;</span></span><br><span class="line">source_port = <span class="number">8080</span></span><br><span class="line"></span><br><span class="line"><span class="comment">## 外部传入端口</span></span><br><span class="line">desc_host = <span class="string">&#x27;0.0.0.0&#x27;</span></span><br><span class="line">desc_port = <span class="number">8082</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">log_data</span>(<span class="params">data</span>):</span></span><br><span class="line">    <span class="keyword">with</span> <span class="built_in">open</span>(<span class="string">&#x27;log.txt&#x27;</span>,<span class="string">&#x27;ab+&#x27;</span>) <span class="keyword">as</span> f:</span><br><span class="line">        f.write(<span class="string">b&#x27;------bin----------\r\n&#x27;</span>)</span><br><span class="line">        f.write(data)</span><br><span class="line">        f.write(<span class="string">b&#x27;\r\n-----\r\n&#x27;</span>)</span><br><span class="line">        f.write(<span class="string">b&#x27;gopher://127.0.0.1:%d/_&#x27;</span>%source_port + quote(data).encode())</span><br><span class="line">        f.write(<span class="string">b&#x27;-------url---------\r\n&#x27;</span>)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">send</span>(<span class="params">sender, recver</span>):</span></span><br><span class="line">    <span class="keyword">while</span> <span class="number">1</span>:</span><br><span class="line">        <span class="keyword">try</span>:</span><br><span class="line">            data = sender.recv(<span class="number">2048</span>)</span><br><span class="line">        <span class="keyword">except</span>:</span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line">            print(<span class="string">&quot;recv error&quot;</span>)</span><br><span class="line">        <span class="keyword">try</span>:</span><br><span class="line">            log_data(data)</span><br><span class="line">            recver.sendall(data)</span><br><span class="line">        <span class="keyword">except</span>:</span><br><span class="line">            print(<span class="string">&quot;send error&quot;</span>)    </span><br><span class="line">            sender.close()</span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line">    recver.close()</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">proxy</span>(<span class="params">client</span>):</span></span><br><span class="line">    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)</span><br><span class="line">    server.connect((source_host, source_port))</span><br><span class="line">    threading.Thread(target=send, args=(client, server)).start()</span><br><span class="line">    threading.Thread(target=send, args=(server, client)).start()</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">main</span>():</span></span><br><span class="line">    proxy_server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)</span><br><span class="line">    proxy_server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, <span class="number">1</span>)</span><br><span class="line">    proxy_server.bind((desc_host, desc_port))</span><br><span class="line">    proxy_server.listen(<span class="number">50</span>)</span><br><span class="line"></span><br><span class="line">    print(<span class="string">&quot;Proxying from %s:%s to %s:%s ...&quot;</span>%(desc_host, desc_port,source_host, source_port)) </span><br><span class="line">    <span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">        conn, addr = proxy_server.accept()</span><br><span class="line">        print(<span class="string">&quot;received connect from %s:%s&quot;</span>%(addr[<span class="number">0</span>], addr[<span class="number">1</span>]))    </span><br><span class="line">        threading.Thread(target=proxy, args=(conn, )).start()</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">&#x27;__main__&#x27;</span>:</span><br><span class="line">    main()</span><br></pre></td></tr></table></figure>
<p>可以使用这个脚本,转发并且记录流量,转成gopher的形式</p>
<h3 id="dict协议"><a href="#dict协议" class="headerlink" title="dict协议"></a>dict协议</h3><p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210202115140626.png" alt="image-20210202115140626"></p>
<p>dict协议是词典网络协议,url-path部分的字符会直接发送,达到受限的部分可控的一次tcp流攻击效果,但是无法加入一些特殊字符,无法换行,攻击效果受限,常用来攻击redis</p>
<h3 id="CRLF攻击"><a href="#CRLF攻击" class="headerlink" title="CRLF攻击"></a>CRLF攻击</h3><p> <a target="_blank" rel="noopener" href="https://www.cvedetails.com/cve/CVE-2019-9740/">CVE-2019-9740</a>urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3都曾出过CRLF漏洞</p>
<p><a target="_blank" rel="noopener" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5699">CVE-2016-5699</a>Python 2.7.10之前的版本和3.4.4之前的3.x 版本中的 urllib2和urllib中的‘HTTPConnection.putheader’函数存在CRLF注入漏洞</p>
<h3 id="http协议"><a href="#http协议" class="headerlink" title="http协议"></a>http协议</h3><p>因为http应用很光,单纯http协议,也可以攻击部分web内网应用,如果docker开启了tcp监听,也可以进行攻击</p>
<h3 id="ftp协议"><a href="#ftp协议" class="headerlink" title="ftp协议"></a>ftp协议</h3><ul>
<li>利用被动模式</li>
</ul>
<p>在<a target="_blank" rel="noopener" href="https://github.com/dfyz/ctf-writeups/tree/master/hxp-2020">hxp-2020</a><strong>resonator</strong>/</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">$file &#x3D; $_GET[&#39;file&#39;] ?? &#39;&#x2F;tmp&#x2F;file&#39;;</span><br><span class="line">$data &#x3D; $_GET[&#39;data&#39;] ?? &#39;:)&#39;;</span><br><span class="line">file_put_contents($file, $data);</span><br><span class="line">echo file_get_contents($file);</span><br></pre></td></tr></table></figure>
<p>出现的这样一个利用姿势,利用一个恶意的ftp服务器,当php使用file_put_contents向ftp服务器上传数据时,服务器开启被动模式,返回127.0.0.1:9000 这个地址,内容就被发往本地的fpm服务器,造成rce</p>
<ul>
<li><p>利用ftp主动模式</p>
<p>在starctf2021/web-oh-my-bet,出现了这样一个姿势</p>
<p>在python的pyftpdlib启动的ftp服务器中,如果配置</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">handler.permit_foreign_addresses &#x3D; True</span><br></pre></td></tr></table></figure>
<p>既ftp服务器在主动模式中,对用户来源ip地址和用户主动模式给出ip地址不做校验</p>
<p>则可以恶意用户则可以连接ftp服务器,上传恶意文件后,使用主动模式下载,这是给服务器恶意内网地址,造成攻击,</p>
<p>如果内网有ftp服务器,利用ftp服务器对tcp流的容错,则可以,受限的部分可控的一次tcp流,转成把完全可控的一次tcp流</p>
</li>
</ul>
<h3 id="TLS协议"><a href="#TLS协议" class="headerlink" title="TLS协议"></a>TLS协议</h3><p><a target="_blank" rel="noopener" href="https://i.blackhat.com/USA-20/Wednesday/us-20-Maddux-When-TLS-Hacks-You.pdf">https://i.blackhat.com/USA-20/Wednesday/us-20-Maddux-When-TLS-Hacks-You.pdf</a></p>
<p>利用tls的会话复用机制,可以实现ssrf只要支持https协议,就可以造成受限的部分可控的一次tcp流攻击</p>
<h2 id="可攻击的应用"><a href="#可攻击的应用" class="headerlink" title="可攻击的应用"></a>可攻击的应用</h2><p>本质上来说,只要在内网监听了端口,都有可能被攻击,但是因为协议中可控内容有限,还是有一些限制 的,</p>
<h3 id="redis"><a href="#redis" class="headerlink" title="redis"></a>redis</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker run -d -p 6379:6379 ju5ton1y&#x2F;redis</span><br></pre></td></tr></table></figure>
<p>redis使用的是<strong>RESP</strong> (REdis Serialization Protocol),本质上只是规定了将命令行命令转为tcp传输的封装方式</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">auth 123123</span><br><span class="line">转为</span><br><span class="line">*2</span><br><span class="line">$4</span><br><span class="line">auth</span><br><span class="line">$6</span><br><span class="line">123123</span><br><span class="line">在tcp中传输,先利用*声明一个长度为2的数组,$number代表每个元素的长度,</span><br></pre></td></tr></table></figure>
<p>并且redis是支持管道操作的,也就是说可以一次发生多次操作,而不需要等待服务器回复</p>
<p>而且redis认证的本质也是请求前,发送了上述auth命令,也就是说,如果你通过其他途径得到了redis密码,或者进行爆破,有认证的redis也是可以被攻击的</p>
<p>在我实验的redis_version:3.2.11中,redis对</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">POST,</span><br><span class="line">Host:</span><br></pre></td></tr></table></figure>
<p>做了检测,如果匹配到会直接结束连接,应该是为了防止http POST或者crlf攻击redis,但是redis没有banGET</p>
<p>在python的<a target="_blank" rel="noopener" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5699">CVE-2016-5699</a>CRLF注入中,因为payload是注入在Host之后,所以无法攻击,虽然它可以通过SNI注入,去掉GET,但是因为有特殊字符的问题,redis也无法攻击.</p>
<p>python的 CVE-2019-9740,CRLF注入,因为是url处,所以可以攻击redis</p>
<h4 id="攻击姿势"><a href="#攻击姿势" class="headerlink" title="攻击姿势"></a>攻击姿势</h4><p>参考</p>
<p><a target="_blank" rel="noopener" href="https://paper.seebug.org/1169/#_1">https://paper.seebug.org/1169/#_1</a></p>
<p><a target="_blank" rel="noopener" href="https://www.anquanke.com/post/id/214108#h3-12">https://www.anquanke.com/post/id/214108#h3-12</a></p>
<p>比较常见的利用姿势的有写文件,利用主从复制getshell,或者改数据触发反序列化,或者低版本的rce等</p>
<p><a target="_blank" rel="noopener" href="https://redis.io/topics/protocol">https://redis.io/topics/protocol</a></p>
<p><a target="_blank" rel="noopener" href="https://www.anquanke.com/post/id/181599#h2-2">https://www.anquanke.com/post/id/181599#h2-2</a></p>
<p><a target="_blank" rel="noopener" href="https://www.anquanke.com/post/id/214108#h3-15">https://www.anquanke.com/post/id/214108#h3-15</a></p>
<h3 id="docker"><a href="#docker" class="headerlink" title="docker"></a>docker</h3><p>可以看p神这篇文章</p>
<p><a target="_blank" rel="noopener" href="https://mp.weixin.qq.com/s/X04IhY9Oau-kDOVbok8wEw">https://mp.weixin.qq.com/s/X04IhY9Oau-kDOVbok8wEw</a></p>
<p>如果docker配置了监听tcp端口,则可以通过ssrf攻击,只要有可控的http的post方法,就可以造成rce,利用create和exec的姿势需要path和body都可控,p神在这篇文章中</p>
<h3 id="uWSGI"><a href="#uWSGI" class="headerlink" title="uWSGI"></a>uWSGI</h3><p>通过ssrf攻击uWSGI实现rce,</p>
<p>因为在uwsgi的协议中，允许传递一些魔术变量,调整参数,利用UWSGI_FILE变量,可以动态加载新的文件执行,并且uWSGI程序中默认注册了一系列schemes,可以通过这些schemes直接进行rce</p>
<p><a target="_blank" rel="noopener" href="https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi-rce-zh.md">https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi-rce-zh.md</a></p>
<h3 id="php-fpm"><a href="#php-fpm" class="headerlink" title="php-fpm"></a>php-fpm</h3><p>一般监听9000端口通过完全可控的一次tcp流可以rce,一般利用方法为</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">&#123;</span><br><span class="line">    &#39;GATEWAY_INTERFACE&#39;: &#39;FastCGI&#x2F;1.0&#39;,</span><br><span class="line">    &#39;REQUEST_METHOD&#39;: &#39;GET&#39;,</span><br><span class="line">    &#39;SCRIPT_FILENAME&#39;: &#39;&#x2F;var&#x2F;www&#x2F;html&#x2F;index.php&#39;,</span><br><span class="line">    &#39;SCRIPT_NAME&#39;: &#39;&#x2F;index.php&#39;,</span><br><span class="line">    &#39;QUERY_STRING&#39;: &#39;?a&#x3D;1&amp;b&#x3D;2&#39;,</span><br><span class="line">    &#39;REQUEST_URI&#39;: &#39;&#x2F;index.php?a&#x3D;1&amp;b&#x3D;2&#39;,</span><br><span class="line">    &#39;DOCUMENT_ROOT&#39;: &#39;&#x2F;var&#x2F;www&#x2F;html&#39;,</span><br><span class="line">    &#39;SERVER_SOFTWARE&#39;: &#39;php&#x2F;fcgiclient&#39;,</span><br><span class="line">    &#39;REMOTE_ADDR&#39;: &#39;127.0.0.1&#39;,</span><br><span class="line">    &#39;REMOTE_PORT&#39;: &#39;12345&#39;,</span><br><span class="line">    &#39;SERVER_ADDR&#39;: &#39;127.0.0.1&#39;,</span><br><span class="line">    &#39;SERVER_PORT&#39;: &#39;80&#39;,</span><br><span class="line">    &#39;SERVER_NAME&#39;: &quot;localhost&quot;,</span><br><span class="line">    &#39;SERVER_PROTOCOL&#39;: &#39;HTTP&#x2F;1.1&#39;</span><br><span class="line">    &#39;PHP_VALUE&#39;: &#39;auto_prepend_file &#x3D; php:&#x2F;&#x2F;input&#39;,</span><br><span class="line">    &#39;PHP_ADMIN_VALUE&#39;: &#39;allow_url_include &#x3D; On&#39;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>FastCGI 协议可以通过PHP_ADMIN_VALUE和PHP_VALUE指定php配置值,通过配置自动包含php://input,而进行rce</p>
<h2 id="参考资料"><a href="#参考资料" class="headerlink" title="参考资料"></a>参考资料</h2><p><a target="_blank" rel="noopener" href="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery">https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery</a></p>
<p><a target="_blank" rel="noopener" href="https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf">https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf</a></p>
<p><a target="_blank" rel="noopener" href="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#file">https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#file</a></p>

    </div>

    
    
    
        

  <div class="followme">
    <p>Welcome to my other publishing channels</p>

    <div class="social-list">

        <div class="social-item">
          <a target="_blank" class="social-link" href="/atom.xml">
            <span class="icon">
              <i class="fa fa-rss"></i>
            </span>

            <span class="label">RSS</span>
          </a>
        </div>
    </div>
  </div>


      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/ssrf/" rel="tag"># ssrf</a>
              <a href="/tags/%E7%9F%A5%E8%AF%86%E6%80%BB%E7%BB%93/" rel="tag"># 知识总结</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2021/01/19/csp-%E7%BB%95%E8%BF%87-%E6%80%BB%E7%BB%93-md/" rel="prev" title="csp_绕过_总结.md">
      <i class="fa fa-chevron-left"></i> csp_绕过_总结.md
    </a></div>
      <div class="post-nav-item">
    <a href="/2021/01/29/BlackHat2020%20%E8%AE%AE%E9%A2%98%20When%20TLS%20Hacks%20You%20%E5%A4%8D%E7%8E%B0/" rel="next" title="BlackHat2020 议题 「When TLS Hacks You」 复现">
      BlackHat2020 议题 「When TLS Hacks You」 复现 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          Table of Contents
        </li>
        <li class="sidebar-nav-overview">
          Overview
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%AF%BC%E8%A8%80"><span class="nav-number">1.</span> <span class="nav-text">导言</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#file%E5%8D%8F%E8%AE%AE"><span class="nav-number">1.1.</span> <span class="nav-text">file协议</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#gopher"><span class="nav-number">1.2.</span> <span class="nav-text">gopher</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#dict%E5%8D%8F%E8%AE%AE"><span class="nav-number">1.3.</span> <span class="nav-text">dict协议</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#CRLF%E6%94%BB%E5%87%BB"><span class="nav-number">1.4.</span> <span class="nav-text">CRLF攻击</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#http%E5%8D%8F%E8%AE%AE"><span class="nav-number">1.5.</span> <span class="nav-text">http协议</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#ftp%E5%8D%8F%E8%AE%AE"><span class="nav-number">1.6.</span> <span class="nav-text">ftp协议</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#TLS%E5%8D%8F%E8%AE%AE"><span class="nav-number">1.7.</span> <span class="nav-text">TLS协议</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%8F%AF%E6%94%BB%E5%87%BB%E7%9A%84%E5%BA%94%E7%94%A8"><span class="nav-number">2.</span> <span class="nav-text">可攻击的应用</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#redis"><span class="nav-number">2.1.</span> <span class="nav-text">redis</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#%E6%94%BB%E5%87%BB%E5%A7%BF%E5%8A%BF"><span class="nav-number">2.1.1.</span> <span class="nav-text">攻击姿势</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#docker"><span class="nav-number">2.2.</span> <span class="nav-text">docker</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#uWSGI"><span class="nav-number">2.3.</span> <span class="nav-text">uWSGI</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#php-fpm"><span class="nav-number">2.4.</span> <span class="nav-text">php-fpm</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%8F%82%E8%80%83%E8%B5%84%E6%96%99"><span class="nav-number">3.</span> <span class="nav-text">参考资料</span></a></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Wendell"
      src="/avatar.jpg">
  <p class="site-author-name" itemprop="name">Wendell</p>
  <div class="site-description" itemprop="description">Wendell blog</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">5</span>
          <span class="site-state-item-name">posts</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">3</span>
        <span class="site-state-item-name">categories</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">8</span>
        <span class="site-state-item-name">tags</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/W4ndell" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;W4ndell" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
  </div>


  <div class="links-of-blogroll motion-element">
    <div class="links-of-blogroll-title"><i class="fa fa-link fa-fw"></i>
      友情链接
    </div>
    <ul class="links-of-blogroll-list">
        <li class="links-of-blogroll-item">
          <a href="http://www.whiskeyjj.com/" title="http:&#x2F;&#x2F;www.whiskeyjj.com&#x2F;" rel="noopener" target="_blank">绝望的肉</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://www.yang99.top/" title="http:&#x2F;&#x2F;www.yang99.top&#x2F;" rel="noopener" target="_blank">Yang_99</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://www.fzwjscj.xyz/" title="http:&#x2F;&#x2F;www.fzwjscj.xyz&#x2F;" rel="noopener" target="_blank">fzwjscj</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://cherryc4t.top/" title="http:&#x2F;&#x2F;cherryc4t.top&#x2F;" rel="noopener" target="_blank">cherryc4t</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://www.7yue.top/" title="http:&#x2F;&#x2F;www.7yue.top&#x2F;" rel="noopener" target="_blank">7yue</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://gh0st.top/" title="http:&#x2F;&#x2F;gh0st.top" rel="noopener" target="_blank">gh0st</a>
        </li>
    </ul>
  </div>

      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 2019 – 
  <span itemprop="copyrightYear">2021</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Wendell</span>
</div>
  <div class="powered-by">Powered by <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://mist.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Mist</a>
  </div><script color="0,0,0" opacity="0.5" zIndex="-1" count="99" src="https://cdn.jsdelivr.net/npm/canvas-nest.js@1/dist/canvas-nest.js"></script>

        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    <span class="post-meta-item" id="busuanzi_container_site_uv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-user"></i>
      </span>
      <span class="site-uv" title="Total Visitors">
        <span id="busuanzi_value_site_uv"></span>
      </span>
    </span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item" id="busuanzi_container_site_pv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-eye"></i>
      </span>
      <span class="site-pv" title="Total Views">
        <span id="busuanzi_value_site_pv"></span>
      </span>
    </span>
</div>








      </div>
    </footer>
  </div>

  
  <script src="//cdn.jsdelivr.net/npm/animejs@3.1.0/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/muse.js"></script>


<script src="/js/next-boot.js"></script>




  















  

  

</body>
</html>
